feat(rgds): scaffold platform-rgds delivery lane

.github/workflows/ci.yml

@@ -33,12 +33,18 @@ jobs:
           version: '0.11.0'
           cache-dependency-glob: |
             scripts/render_bootstrap.py
+            scripts/render_rgds.py
 
       - name: Setup Helm
         uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
         with:
           version: v4.0.4
 
+      - name: Setup CUE
+        uses: cue-lang/setup-cue@a93fa358375740cd8b0078f76355512b9208acb1 # v1.0.1
+        with:
+          version: v0.16.1
+
       - name: Setup Moon Toolchain
         uses: moonrepo/setup-toolchain@261c62cb5b0f580c7be7c8cd0f023a2e96756095 # v0.6.4
         with:

.github/workflows/publish-rgds.yml

@@ -0,0 +1,85 @@
+name: Publish RGD Bundles
+
+on:
+  push:
+    tags:
+      - 'platform-rgds-v*'
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 1
+          persist-credentials: false
+
+      - name: Setup ORAS
+        uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1
+        with:
+          version: 1.3.2
+
+      - name: Resolve Release Target
+        id: target
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          tag="${GITHUB_REF_NAME}"
+          case "${tag}" in
+            platform-rgds-v*) bundle="platform" ;;
+            *)
+              echo "unsupported tag: ${tag}" >&2
+              exit 1
+              ;;
+          esac
+
+          version="${tag#platform-rgds-v}"
+          bundle_dir="rgds/${bundle}"
+          file_version="$(tr -d '\n' < "${bundle_dir}/VERSION")"
+
+          if [ "${version}" != "${file_version}" ]; then
+            echo "Tag version ${version} does not match VERSION ${file_version}" >&2
+            exit 1
+          fi
+
+          {
+            echo "bundle=${bundle}"
+            echo "bundle_name=platform-rgds"
+            echo "version=${version}"
+            echo "bundle_dir=${bundle_dir}"
+            echo "artifact=ghcr.io/gilmanlab/platform/rgds/platform-rgds"
+          } >> "${GITHUB_OUTPUT}"
+
+      - name: Login to GHCR
+        shell: bash
+        run: |
+          set -euo pipefail
+          echo "${{ secrets.GITHUB_TOKEN }}" | \
+            oras login ghcr.io \
+              --username "${{ github.actor }}" \
+              --password-stdin
+
+      - name: Push Bundle Artifact
+        working-directory: ${{ steps.target.outputs.bundle_dir }}/render
+        shell: bash
+        run: |
+          set -euo pipefail
+          oras push \
+            --annotation "org.opencontainers.image.title=${{ steps.target.outputs.bundle_name }}" \
+            --annotation "org.opencontainers.image.description=GilmanLab platform RGD bundle" \
+            --annotation "org.opencontainers.image.version=${{ steps.target.outputs.version }}" \
+            --annotation "org.opencontainers.image.source=https://github.com/${{ github.repository }}" \
+            --annotation "org.opencontainers.image.revision=${{ github.sha }}" \
+            "${{ steps.target.outputs.artifact }}:${{ steps.target.outputs.version }}" \
+            .

.gitignore

@@ -69,6 +69,9 @@ docs/.docusaurus/
 bootstrap/*/.state/
 bootstrap/*/charts/
 bootstrap/**/*.tgz
+cue.mod/gen/
+cue.mod/pkg/
+cue.mod/usr/
 
 # OS / editor
 .DS_Store

.release-please-manifest.json

@@ -1,5 +1,6 @@
 {
   "bootstrap/cilium": "1.2.0",
   "bootstrap/argocd": "1.1.0",
-  "bootstrap/kro": "1.1.0"
+  "bootstrap/kro": "1.1.0",
+  "rgds/platform": "0.1.0"
 }

Justfile

@@ -10,13 +10,25 @@ render:
 render-all:
     uv run scripts/render_bootstrap.py render
 
+# Render the tracked RGD bundle artifacts into their committed paths.
+render-rgds:
+    uv run scripts/render_rgds.py render
+
 # Lint bootstrap charts and verify tracked bootstrap artifacts are in sync and free of embedded secret material.
 validate:
     uv run scripts/render_bootstrap.py validate
 
+# Verify tracked RGD bundle artifacts are in sync and internally consistent.
+validate-rgds:
+    uv run scripts/render_rgds.py validate
+
 # Render tracked artifacts and verify they are current.
-check: render validate
+check: render render-rgds validate validate-rgds
 
 # Show the configured bootstrap components and render lanes.
 list:
     uv run scripts/render_bootstrap.py list
+
+# Show the configured RGD bundles and tracked renders.
+list-rgds:
+    uv run scripts/render_rgds.py list

cue.mod/module.cue

@@ -0,0 +1,4 @@
+module: "github.com/gilmanlab/platform"
+language: {
+	version: "v0.16.0"
+}

moon.yml

@@ -13,11 +13,16 @@ workspace:
 
 tasks:
   check:
-    command: 'uv run scripts/render_bootstrap.py validate'
+    script: |
+      uv run scripts/render_bootstrap.py validate
+      uv run scripts/render_rgds.py validate
     toolchains: 'system'
     inputs:
       - 'bootstrap/**/*'
+      - 'cue.mod/**/*'
+      - 'rgds/**/*'
       - 'scripts/render_bootstrap.py'
+      - 'scripts/render_rgds.py'
     options:
       cache: false
       runInCI: true

release-please-config.json

@@ -54,6 +54,16 @@
         "CHANGELOG.md",
         "VERSION"
       ]
+    },
+    "rgds/platform": {
+      "component": "platform-rgds",
+      "include-component-in-tag": true,
+      "changelog-path": "CHANGELOG.md",
+      "version-file": "VERSION",
+      "exclude-paths": [
+        "CHANGELOG.md",
+        "VERSION"
+      ]
     }
   },
   "changelog-sections": [

rgds/platform/CHANGELOG.md

@@ -0,0 +1 @@
+# Changelog

rgds/platform/VERSION

@@ -0,0 +1 @@
+0.1.0

rgds/platform/bundle.cue

@@ -0,0 +1,14 @@
+package platformrgds
+
+bundle: {
+	name:     "platform-rgds"
+	package:  "rgds/platform"
+	artifact: "ghcr.io/gilmanlab/platform/rgds/platform-rgds"
+	rgdName:  "platform"
+	api: {
+		group:   "platform.gilman.io"
+		version: "v1alpha1"
+		kind:    "Platform"
+		scope:   "Cluster"
+	}
+}

rgds/platform/capabilities/dns/schema.cue

@@ -0,0 +1,5 @@
+package dns
+
+Spec: {
+	zone: "string | required=true | description=\"Authoritative DNS zone for platform-managed records.\""
+}

rgds/platform/capabilities/tls/schema.cue

@@ -0,0 +1,5 @@
+package tls
+
+Spec: {
+	clusterIssuer: "string | required=true | description=\"cert-manager ClusterIssuer used for platform-managed certificates.\""
+}

rgds/platform/platform.cue

@@ -0,0 +1,27 @@
+package platformrgds
+
+import (
+	dnscap "github.com/gilmanlab/platform/rgds/platform/capabilities/dns"
+	tlscap "github.com/gilmanlab/platform/rgds/platform/capabilities/tls"
+)
+
+output: {
+	apiVersion: "kro.run/v1alpha1"
+	kind:       "ResourceGraphDefinition"
+	metadata: {
+		name: bundle.rgdName
+	}
+	spec: {
+		schema: {
+			apiVersion: bundle.api.version
+			kind:       bundle.api.kind
+			group:      bundle.api.group
+			scope:      bundle.api.scope
+			spec: {
+				dns: dnscap.Spec
+				tls: tlscap.Spec
+			}
+		}
+		resources: []
+	}
+}

rgds/platform/render/platform-rgds.yaml

@@ -0,0 +1,24 @@
+# Generated by scripts/render_rgds.py; do not edit by hand.
+# Bundle: platform-rgds
+# Package: rgds/platform
+# Artifact: ghcr.io/gilmanlab/platform/rgds/platform-rgds@0.1.0
+# API: Platform.platform.gilman.io/v1alpha1
+---
+apiVersion: kro.run/v1alpha1
+kind: ResourceGraphDefinition
+metadata:
+  name: platform
+spec:
+  schema:
+    apiVersion: v1alpha1
+    kind: Platform
+    group: platform.gilman.io
+    scope: Cluster
+    spec:
+      dns:
+        zone: string | required=true | description="Authoritative DNS zone for platform-managed
+          records."
+      tls:
+        clusterIssuer: string | required=true | description="cert-manager ClusterIssuer
+          used for platform-managed certificates."
+  resources: []